In Terraform 0.14, you will be able to define a sensitive argument on variable blocks, which redacts that value from CLI output. In the current alpha release, you can use this feature by turning it on in the experiments setting of the terraform block:
terraform {
  experiments = [sensitive_variables]
}
With the experiment enabled, you'll be able to add the sensitive argument to any variable block:
variable "something_not_to_print" {
  default   = "special value"
  sensitive = true
}
You'll only need the experiments setting for the alpha release; from the 0.14 beta onward the feature will no longer be experimental.
Setting a variable as sensitive prevents Terraform from showing its value in the plan or apply output wherever that variable is used within a configuration.
Sensitive values are still recorded in the state, and so will be visible to anyone who is able to access the state data. For more information, see Sensitive Data in State.
A provider can define an attribute as sensitive, which prevents the value of that attribute from being displayed in logs or regular output. The sensitive argument on variables allows users to replicate this behavior for values in their configuration by defining a variable as sensitive.
Define a variable as sensitive by setting the sensitive argument to true:
variable "user_information" {
  type = object({
    name    = string
    address = string
  })
  sensitive = true
}

resource "some_resource" "a" {
  name    = var.user_information.name
  address = var.user_information.address
}
Using this variable throughout your configuration will redact the value from display in plan or apply output:
Terraform will perform the following actions:

  # some_resource.a will be created
  + resource "some_resource" "a" {
      + name    = (sensitive)
      + address = (sensitive)
    }

Plan: 1 to add, 0 to change, 0 to destroy.
In some cases where a sensitive variable is used in a nested block, the whole block is redacted. This happens with resources that can have multiple blocks of the same type where the values must be unique (set-typed nested blocks), because Terraform identifies each such block by its full contents and so cannot show which block changed without revealing part of it. This looks like:
# main.tf
resource "some_resource" "a" {
  nested_block {
    user_information  = var.user_information # a sensitive variable
    other_information = "not sensitive data"
  }
}

# CLI output
Terraform will perform the following actions:

  # some_resource.a will be updated in-place
  ~ resource "some_resource" "a" {
      ~ nested_block {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
    }
Cases where Terraform may disclose a sensitive variable
A sensitive variable is a configuration-centered concept, and values are sent to providers without any obfuscation. A provider error could disclose a value if that value is included in the error message. For example, a provider might return the following error even if "foo" is a sensitive value: "Invalid value 'foo' for field"
If a resource attribute is used as, or as part of, the provider-defined resource id, an apply will disclose the value. In the example below, the prefix attribute has been set to a sensitive variable, but that value ("jae") is later disclosed as part of the resource id:
  # random_pet.animal will be created
  + resource "random_pet" "animal" {
      + id        = (known after apply)
      + length    = 2
      + prefix    = (sensitive)
      + separator = "-"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
...
random_pet.animal: Creating...
random_pet.animal: Creation complete after 0s [id=jae-known-mongoose]
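Because the value is stored in state as described earlier, and because an id built from a sensitive prefix discloses it, a practical post-apply check is to scan the state file for the plaintext of each sensitive variable and report where it landed. The script below is an added example, not code from the original post or from Terraform; it assumes the version 4 state JSON layout (a top-level "resources" list whose entries carry "instances" with an "attributes" map), and the sample state embedded in it is constructed by hand to mirror the random_pet example above rather than captured from a real run.

```python
"""Report which state attributes contain the plaintext of sensitive variables.

Added example (not part of the post or of Terraform). Assumes the Terraform
state JSON format version 4: resources[] -> instances[] -> attributes{}.
"""
import json
from typing import Any, Dict, Iterator, List, Tuple

# Constructed sample state (not from a real run). It mirrors the random_pet
# example: the sensitive prefix "jae" is stored as-is in `prefix` and is also
# embedded in the provider-generated `id`. A second resource carries a name
# from a sensitive object variable, including inside a nested map.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "0.14.0",
    "serial": 1,
    "outputs": {},
    "resources": [
        {
            "mode": "managed",
            "type": "random_pet",
            "name": "animal",
            "provider": "provider[\"registry.terraform.io/hashicorp/random\"]",
            "instances": [{
                "schema_version": 0,
                "attributes": {
                    "id": "jae-known-mongoose",
                    "length": 2,
                    "prefix": "jae",
                    "separator": "-",
                },
            }],
        },
        {
            "mode": "managed",
            "type": "some_resource",   # hypothetical resource type from the post
            "name": "a",
            "provider": "provider[\"example.com/acme/some\"]",  # assumed provider address
            "instances": [{
                "schema_version": 0,
                "attributes": {
                    "id": "res-123",
                    "name": "Pam",
                    "address": "1 Main St",
                    "tags": {"owner": "Pam"},
                },
            }],
        },
    ],
})


def _walk(value: Any, path: str) -> Iterator[Tuple[str, str]]:
    """Yield (attribute path, string) for every string leaf in a nested value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _walk(child, f"{path}.{key}")
    elif isinstance(value, list):
        for idx, child in enumerate(value):
            yield from _walk(child, f"{path}[{idx}]")
    elif isinstance(value, str):
        yield path, value


def find_leaks(state_json: str, secrets: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one record per state attribute containing a sensitive value.

    `secrets` maps a variable name to its plaintext value. An attribute equal
    to the value is an "exact" match; an attribute that merely contains it
    (e.g. an id composed from a sensitive prefix) is a "substring" match.
    Empty secrets are ignored so they cannot match everything.
    """
    state = json.loads(state_json)
    hits: List[Dict[str, str]] = []
    for res in state.get("resources", []):
        addr = f"{res['type']}.{res['name']}"
        if res.get("mode") == "data":
            addr = "data." + addr
        for inst in res.get("instances", []):
            for path, text in _walk(inst.get("attributes", {}), addr):
                for var_name, secret in secrets.items():
                    if secret and secret in text:
                        hits.append({
                            "variable": var_name,
                            "attribute": path,
                            "match": "exact" if text == secret else "substring",
                        })
    return hits


if __name__ == "__main__":
    # Variable names here are assumed for the demonstration.
    for hit in find_leaks(SAMPLE_STATE, {"pet_prefix": "jae", "user_name": "Pam"}):
        print(f"var.{hit['variable']} found in {hit['attribute']} ({hit['match']})")
```

Run it against a real state with `terraform state pull | python3 scan.py`-style plumbing (reading stdin instead of SAMPLE_STATE) after an apply; any "substring" hit points at a provider-composed attribute such as an id that the plan output had shown as (sensitive), which is exactly the disclosure case described above.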
Known bugs/future work
As this is pre-release work, there are a few major known issues to note that we intend to either resolve or turn into clear error messages (saving you the time of reporting them).
Using sensitive variables in some expressions
Using a sensitive variable in some functions, such as join, or in a for expression will not work at the moment and will either panic or produce a confusing error.
Changing sensitivity without changing the value
If the only thing that has changed about a variable from one plan to the next is the sensitive attribute, Terraform's understanding of the "sensitivity" of the variable will not change until the value of the variable changes. This will be fixed by the beta release of 0.14.
Thanks for checking it out!
Pam Selle, Terraform Core Team